Bitcoin Forum

Topic: Trojan.NSIS.Miner.a and NO botnet Cheating on DeepBit (Read 4210 times)
BitcoinPorn (OP)
Hero Member
June 29, 2011, 08:13:48 PM
 #1

http://www.securelist.com/en/blog/208188132/Gold_rush

Quote
Today our analysts detected a new threat spreading in the Russian sector of the Internet – Trojan.NSIS.Miner.a. This Trojan has two components – the legitimate bcm.exe file BitCoin Miner (not-a-virus:RiskTool.Win32.BitCoinMiner.a), and a malicious module that installs bcm without the user’s knowledge and adds it to the autorun registry. The infected computer then starts to generate bitcoins for the Trojan’s author.

Of course, the Trojan’s code clearly indicates the server address where the cybercriminal’s account is located.

We decided to see how successful our nameless ‘miner’ was, and ended up getting a bit of a surprise.

Found via http://www.reddit.com/r/Bitcoin/comments/icgo4/trojannsisminera_used_to_secretly_mine_bitcoin_on/

gentakin
Member
June 29, 2011, 08:18:30 PM
 #2

Hats off to Tycho for blocking botnets automatically! Remember, it's causing a loss of 3% pool fees.

SlaveInDebt
Hero Member
June 29, 2011, 08:31:27 PM
 #3

How about other pools? Do they have measures in place against this?
finack
Member
June 30, 2011, 12:40:27 AM
 #4

Quote from: gentakin
Hats off to Tycho for blocking botnets automatically! Remember, it's causing a loss of 3% pool fees.

That's not how I read the screenshot. Look at the account's current hash rate, about 4 GH. So he's letting them get work and submit it; he's likely just made it so it isn't accumulating bitcoins for it, meaning instead of a 3% share of their work he's getting a 100% share of it.
[Tycho]
Hero Member
June 30, 2011, 09:54:16 PM
 #5

Quote from: gentakin
Hats off to Tycho for blocking botnets automatically! Remember, it's causing a loss of 3% pool fees.
Quote from: finack
That's not how I read the screenshot. Look at the account's current hash rate, about 4 GH. So he's letting them get work and submit it; he's likely just made it so it isn't accumulating bitcoins for it, meaning instead of a 3% share of their work he's getting a 100% share of it.

No. In this "warning" state, at the moment of taking this screenshot, all account/worker configuration options are disabled, but mining still continues and he gets his reward.
Then, if we don't receive any explanation from the user, his workers are blocked and he won't get any work (his miners will stop).
Mining operations on this account were already blocked when I saw this topic.

This red message turned out to be a bit misleading; I'll correct it now.
malevolent
Legendary
July 01, 2011, 10:18:44 AM
 #6

Good job!

Veldy
Member
July 02, 2011, 04:14:16 AM
 #7

Awesome! Great to learn of additional security measures in place; I don't think this was ever announced. I finally decided to lock my payout address a couple of weeks ago, so I am really surprised that such a trojan/bot was created [not to mention it shows identity]. I don't know if most people have locked their address, but I hope so. At first I didn't like the idea, but now it doesn't matter. I shuttle my coins to another wallet ... another client on one of my mining boxes, and once confirmed to my satisfaction, I shut the client down, encrypt the wallet.dat to wallet.dat.asc and put it in safe storage. No decryption keys on ANY of my machines nor accessible to anybody unless they get to one of a few locations ... and past my dogs, security system, and my pistol or shotgun (no joke) in one of the locations ... where I live :)

I highly recommend a backup wallet and full public/private key encryption to avoid significant exposure should your machine be compromised [including physically].

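The backup routine described above (shut the client down, encrypt wallet.dat to an ASCII-armoured wallet.dat.asc with a public key, keep no private key on the mining box) as a script. This is an added example, not Veldy's own, and not part of the original post. It assumes GnuPG's gpg.exe is on PATH, that the client runs as a process named bitcoin, and that the recipient key, wallet path and backup directory below are placeholders to be replaced with your own; the check in step 1 is the one a practitioner would want, since a backup encrypted to a key whose private half sits on the same disk protects nothing.

```powershell
# Added example (not from the thread). Placeholders: $Recipient, $BackupDir, $ClientName.
param(
    [string]$WalletPath = "$env:APPDATA\Bitcoin\wallet.dat",
    [string]$Recipient  = 'backup@example.invalid',   # placeholder: user ID or fingerprint of the backup key
    [string]$BackupDir  = 'E:\wallet-backups',        # placeholder: removable media, not a local disk
    [string]$ClientName = 'bitcoin'                   # placeholder: process name of the client
)
$ErrorActionPreference = 'Stop'

# 1. Refuse to run if this machine holds the private key: the whole point is that
#    nothing on the mining box can decrypt the backup. gpg exits non-zero when no
#    secret key matches $Recipient.
& gpg --batch --quiet --list-secret-keys $Recipient 2>$null | Out-Null
if ($LASTEXITCODE -eq 0) {
    throw "A secret key for $Recipient exists on this machine; generate the backup key elsewhere."
}

# 2. Shut the client down cleanly so wallet.dat is not being written while we copy it.
#    CloseMainWindow() only works for a GUI client; a headless daemon needs its own stop command.
$client = Get-Process -Name $ClientName -ErrorAction SilentlyContinue | Select-Object -First 1
if ($client) {
    $null = $client.CloseMainWindow()
    if (-not $client.WaitForExit(60000)) { throw "$ClientName did not exit within 60 s" }
}

# 3. Encrypt to the recipient's public key, ASCII-armoured (.asc) so the file survives
#    e-mail, printing or any transport that mangles binary data. --trust-model always
#    suppresses the "key not trusted" prompt in batch mode; verify the fingerprint first.
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$out   = Join-Path $BackupDir "wallet-$stamp.dat.asc"
& gpg --batch --yes --armor --trust-model always --recipient $Recipient --output $out --encrypt $WalletPath
if ($LASTEXITCODE -ne 0) { throw "gpg encryption failed (exit code $LASTEXITCODE)" }

# 4. Sanity check: the output really is an OpenPGP armoured message.
$head = Get-Content -Path $out -TotalCount 1
if ($head -ne '-----BEGIN PGP MESSAGE-----') { throw "Unexpected content at the top of $out" }

# 5. Record SHA-256 of the plaintext and of the backup. The first lets a restore on the
#    offline machine be verified; the second detects tampering with the stored .asc.
Get-FileHash -Algorithm SHA256 -Path $WalletPath, $out | Format-Table Hash, Path -AutoSize
"Backup written to $out. Test the restore on the machine that holds the private key: gpg --decrypt $out > wallet.dat"
```

Test a restore at least once on the offline machine and compare the SHA-256 of the decrypted file with the hash recorded in step 5; a backup that has never been restored is a guess, not a backup.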
Tasty Champa
Member
July 02, 2011, 04:30:10 AM
 #8

Honestly,
Fuckin NICE! :)

Deepbit +1
airdata
Hero Member
July 02, 2011, 04:53:08 AM
 #9

Wonder what flags they set?

If you just threw it to full speed, a user would likely find it fast if they were running at full CPU constantly.
steelhouse
Hero Member
July 03, 2011, 12:24:53 AM
 #10

I think I might have had this; however, it shows slow MH/s on your computer. What I did was reinstall Windows to fix it.
d3m0n1q_733rz
Sr. Member
July 08, 2011, 08:29:41 AM
 #11

If you do happen to find this, the autorun could be located in one of two places. One is in your Start Menu. The other is in your Task Scheduler. Very rarely will you find it in your registry, but if you see the miner running and you didn't install it, run a registry search to see if you can find any instance of it or a batch file that runs it.

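The persistence locations named in this post and in the Securelist description quoted at the top of the thread (autorun registry keys, the Start Menu Startup folder, the Task Scheduler) can be swept in one pass, together with the process list so that an already-running miner and whatever launched it show up too. The following PowerShell is an added example, not code from any poster or from the write-up. The list of names to flag is an assumption: bcm.exe is the binary the write-up names, the others are generic miner names added here for illustration. Get-ScheduledTask needs Windows 8 / Server 2012 or later (use schtasks.exe /query /v /fo CSV on older systems); run from an elevated prompt so the HKLM keys and all processes are readable.

```powershell
# Added example (not from the thread): hunt for a miner persisted the way the
# Securelist write-up and the post above describe, and for a miner already running.

# Assumption: names worth flagging. bcm.exe comes from the write-up; the rest are
# generic miner binary names used here for illustration.
$Suspect = @('bcm.exe', 'bitcoin-miner', 'cgminer', 'minerd', 'poclbm')

function Test-Suspect([string]$Text) {
    foreach ($s in $Suspect) {
        if ($Text -and $Text -match [regex]::Escape($s)) { return $true }   # -match is case-insensitive
    }
    return $false
}

$Hits = @()

# 1. Registry autorun keys (the location the write-up describes)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }               # skip PSPath, PSProvider, ... metadata
        if (Test-Suspect $p.Value) {
            $Hits += [pscustomobject]@{ Source = "Registry: $key\$($p.Name)"; Command = $p.Value }
        }
    }
}

# 2. Startup folders (the "start menu" location named in the post); resolve .lnk targets
#    and read .bat/.cmd wrappers, since a batch file is a common way to launch a miner.
$StartupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
$Shell = New-Object -ComObject WScript.Shell
foreach ($dir in $StartupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem -Path $dir -File) {
        $target = $f.FullName
        if ($f.Extension -eq '.lnk') { $target = $Shell.CreateShortcut($f.FullName).TargetPath }
        $body = if ($f.Extension -in '.bat', '.cmd') { Get-Content -Path $f.FullName -Raw } else { '' }
        if ((Test-Suspect $target) -or (Test-Suspect $body)) {
            $Hits += [pscustomobject]@{ Source = "Startup: $($f.FullName)"; Command = $target }
        }
    }
}

# 3. Scheduled tasks: check every action's executable and arguments
foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-Suspect $cmd) {
            $Hits += [pscustomobject]@{ Source = "Task: $($t.TaskPath)$($t.TaskName)"; Command = $cmd }
        }
    }
}

# 4. Anything already running, with its parent so the launcher is visible as well
foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
    if (Test-Suspect $proc.CommandLine) {
        $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $Hits += [pscustomobject]@{
            Source  = "Process: PID $($proc.ProcessId) (parent: $($parent.Name))"
            Command = $proc.CommandLine
        }
    }
}

if ($Hits.Count -eq 0) { 'No miner persistence found.' } else { $Hits | Format-Table -AutoSize -Wrap }
```

A hit in step 4 with no matching entry in steps 1 to 3 means the launcher lives somewhere this sweep does not cover (a service, a WMI subscription, another user's Run key), so follow the parent process before killing the miner; removing the child alone just lets the launcher restart it.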